BT home hub and the GPL

I mentioned the Home Hub Blog in an earlier post. The author of that blog (amongst others) has been trying to find a way to unlock the Hub so that it can be used on ISPs other than BT itself. Unfortunately, BT seems to have tied the beast down (and ties it further with each upgrade of firmware). Worse, most users will be oblivious to the fact that BT can, and does, upgrade the Hub remotely. This may suit BT, but it does not suit all its customers – myself included.

The Home Hub blog author noted that the software in the Hub is a variant of an embedded Linux, with some additional code such as Samba. Given that all this code is covered by one or more variants of the GPL, BT is obliged to release the entire source code to anyone who asks. Access to the source code would, of course, allow anyone to identify where BT have locked the Hub, change it, recompile and reflash the Hub into an unlocked state. So HomeHubBlog wrote to BT – and he eventually gained a partial response. But not enough. See the article at The Register. This one could run and run.

My own experiments with the Hub tell me that it runs a Linux kernel 2.6.8.1. The FTP daemon on the Hub is so flaky, however, that getting consistent access to the filesystem is very hit and miss. I commented on the Home Hub Blog at playing-around-with-ftp so I won’t repeat it here.

Several commentators have mentioned methods of getting root (superuser) access to the Hub CLI and FTP accounts. The method I have found most consistently successful is as follows:

Telnet to the Hub and log in as admin. At the command prompt type “user”, then type “flush” (this deletes all users). Now log out and log back in again, but this time log in as “root” (no password needed). Now go back to the user command subset and type “add”. Follow the prompts as below:

name=root

password=[your chosen password]

password=[repeat your chosen password]

descr=root (or any other description)

defuser=[leave blank – answering yes would make this the default user on login]

defremadmin=[leave blank – answering yes would make this the default remote admin user]

deflocaladmin=[leave blank – answering yes would make this the default local admin]

Bingo, you now have a root user. Now repeat the process for a named user (such as yourself) but give yourself the Administrator role. Make this user the default and the default local admin. Now save the configuration by going back to the top level of the CLI prompt system (type “..” to go back) and type “config save filename=user.ini”.

Note however that BT can overwrite this configuration, so you need to disable that. To do so you need to switch off CWMP (the CPE WAN Management Protocol) capability which allows BT to manage your router remotely. Bear in mind, however, that doing so will prevent BT automatically updating your router software if security problems are found – caveat emptor. To turn off CWMP, do the following:

At the top level CLI prompt, type “cwmp”, then at the cwmp prompt, type “config state=disabled”.

Your router is now unreachable via CWMP.

(Again, you will need to save this configuration if you want this change to survive a reboot.)
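
As an added example (not from the original post, nor BT's or Thomson's own code), a small Python audit of a saved configuration that checks the lock-down above actually took effect: CWMP disabled, no account left without a password, and no default remote admin. The file layout (bracketed section headers followed by CLI-style `key=value` lines), the `role` parameter and the sample contents are assumptions constructed for illustration.

```python
import shlex

# Constructed sample, NOT a real dump. The layout (bracketed section headers
# followed by CLI-style "command key=value" lines) is an assumption modelled
# on the prompts quoted in the post.
SAMPLE = """\
[ user ]
add name=root password=S3cret-example descr=root
add name=mick password=An0ther-example role=Administrator defuser=yes deflocaladmin=yes
add name=guest password= descr=temp defremadmin=yes
[ cwmp ]
config state=enabled
"""

def parse(text):
    """Return {section: [(command, {key: value}), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
            continue
        if current is None:
            continue  # ignore anything before the first section header
        command, *tokens = shlex.split(line)
        params = dict(t.split("=", 1) for t in tokens if "=" in t)
        sections[current].append((command, params))
    return sections

def audit(text):
    """List findings that would undo the lock-down described in the post."""
    cfg, findings = parse(text), []
    states = [p.get("state") for c, p in cfg.get("cwmp", []) if c == "config"]
    if not states or states[-1] != "disabled":
        findings.append("cwmp: state is not 'disabled'")
    users = [p for c, p in cfg.get("user", []) if c == "add"]
    if not users:
        # Per the post, after a flush "root" logs in with no password.
        findings.append("user: no accounts defined")
    for u in users:
        name = u.get("name", "?")
        if not u.get("password"):
            findings.append(f"user {name}: empty password")
        if u.get("defremadmin", "").lower() == "yes":
            findings.append(f"user {name}: default remote admin")
    return findings
```

Run `audit()` on the text of the configuration you saved; an empty list means none of these three conditions was found.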

Permanent link to this article: https://baldric.net/2007/01/22/bt-home-hub-and-the-gpl/

2 comments

I’ve got firmware version 6.2.2.6 on my Home Hub. BT have obviously found out about the back door method to get Super User permissions and disabled it on their later firmware. I can’t access the “user” command from Admin (Telnet), it says “Command Not Allowed”, meaning it recognises the command, but I haven’t got permission to use it.

I’ve tried other methods including trying to edit the “user.ini” config file on my hub to change Admin to SuperUser. On the browser page required to access the config load/save, I get asked for a Username & Password, and Admin isn’t accepted. Again I need SuperUser privileges to get into it in the first place. I’ve even tried to enable Remote Access by typing the relevant page into the browser, as this used to be another method. I get “remote access is disabled” and no options. BT seem to have got the Hub security pretty well locked down. The only other thing I could try is installing an older firmware, but even that may not be possible without having SuperUser privileges to start with. I’m too frightened to attempt a firmware downgrade in case it goes terribly wrong, rendering the hub useless.

My friend has got an even later firmware 6.2.6.C, with this BT have disabled Telnet completely. This makes me wonder if there is still a way with my slightly older firmware, that I haven’t discovered yet, that’s probably why they disabled telnet completely. If I find it I will let you know.

I think it’s unfair they should be able to sell you equipment and not allow the owner to have full permissions. I can understand BT not wanting people to mess up their hub and come running to them for assistance, but BT should provide the SuperUser access on request on the understanding that if you mess it up, you will have to pay for assistance or buy a new hub.

The BT Home Hub is perfectly capable of being set up for any broadband provider if you know what you’re doing with SuperUser. The BT Home Hub is simply a “Thomson 7G” router with BT’s configuration and software installed on it. The “Thomson 7G” router is designed for any network. You would probably need the firmware from the original router.

I don’t even want SuperUser privileges to access another broadband provider. Without SuperUser, I can’t get into the commands required to perform advanced traffic management.

One last thing, the firmware on a BT Home Hub is supposed to be updated automatically across the network, that’s why BT don’t recommend you turn your Hub off. I don’t want the new firmware as then I’ve got no chance of hacking into it. Also my hub is stable and I know some people have experienced problems with the latest firmware. If it works, why fix it? Do you know if there is any way to prevent this upgrade that could go ahead without my consent at any time in the future?

Firstly I should say that all my early experience of the hub dates from about a year ago with version 6.1.1M firmware. Since that date, BT have upgraded the image several times – partly to lock down some obvious holes (discussed here amongst other places) but more importantly in response to widely announced security vulnerabilities (see gnucitizen.org). I have no experience of later images such as yours.

However, I’m not at all surprised that BT should have disabled some of the richer functionality found in earlier images. Nor am I surprised that they have now disabled access to the CLI via telnet – frankly in their position, so would I. Face it, they have umpteen thousand of these hubs to manage and they need to have them all in a state which allows them to update them remotely to new configurations whenever a security (or other) problem is discovered. Probably 99 point some large number of nines per cent of their customer base neither knows, nor cares about the inner working of the hub. That population of users /must/ be protected whenever security issues are discovered. The only way BT can hope to do this is by automatic remote management. This is why they enable, and use cwmp. They also have (or had) the capability of hands on remote management via WAN side remote assistance – but that in itself opens up vulnerabilities. I choose to lock out my ISP because I don’t like someone else controlling my router – but I’m in the minority.

I agree with you that it is unfair that BT can provide a service that locks you out. I much prefer to have control of my own destiny – but with that comes some risk. If I screw up, I can hardly complain to BT that my router has been compromised. I have also had some major disagreements with BT over the past year – mainly because their service is, frankly, appalling. It should be obvious from the posts here that I have (a) not used the hub for nearly a year, and (b) now moved away from BT because of their crap service.

If you choose to stay with BT and you don’t want them messing with your router then you have several options:

a) use a different router. But be aware that BT’s services such as VOIP are predicated on the assumption that you will be using a BT supplied hub. They will /not/ help you if you use a different device and have difficulties.

b) use their router but change its configuration to lock them out. It would seem from your comments that late versions of the firmware make this difficult. However, it is perfectly possible to reflash the hub to take an earlier image. See my latest post for details of how to reflash the hub with a 7G image. You can use exactly the same instructions to reflash the hub to an earlier BT image. Let me know if you want access to a copy, but there should be loads out there. Once you have installed the earlier image then you can disable cwmp and remote management and remove all default users and set your own. But be aware of the risk in using an early image of firmware which is vulnerable to remote exploit. If you are concerned about trashing your hub, then play with a spare. Hubs cost less than a tenner on ebay. Buy at least one to play with. Reflash to your heart’s content until you get a version working to your satisfaction. Lock it down. Lock BT out. Then substitute it for the one BT provided. Just don’t bother asking them for support afterwards.

c) use their router behind one of your own, or behind a NAT firewall such as ipcop. This can be complicated if you don’t know what you are doing, and may (more likely /will/) break some of the “services” BT are offering. Frankly this doesn’t offer much over option a, but can be useful in some circumstances.
